App Store Antitrust: A Cybersecurity Threat Greater than Surveillance Balloons
By Dan Savickas
After a Chinese surveillance balloon hung over the United States for many days, the idea of the balloon hung over President Biden’s recent State of the Union Address. The President said emphatically, “Make no mistake: as we made clear last week, if China threatens our sovereignty, we will act to protect our country. And we did.” Biden is of course referencing the shooting down of said balloon over the Atlantic Ocean after it traversed the length of the nation. However, another under-the-radar line from the President’s speech threatens to undermine this security pledge.
Tucked into the middle of the address, Biden called on Congress to “pass bipartisan legislation to strengthen antitrust enforcement and prevent big online platforms from giving their own products an unfair advantage.” This is almost certainly a nod to bills like the American Innovation and Choice Online (AICO) Act and the Open App Markets Act (OAMA). Both bills have been panned by national security experts for creating vulnerabilities in the digital marketplace.
First, neither Biden nor any of the bill sponsors for this legislation have ever adequately explained why a company should not want to give its own products an advantage. It would seem a very basic rule of economics and business to prefer your own products and to try to advance them at the expense of competitors. AICO and OAMA supporters have never once addressed this simple objection. In fact, it’s not only a simple idea, it’s a good idea and has been happening for years with grocery stores and drug stores. Businesses and consumers have embraced this model.
There is a darker side to AICO and OAMA. Some of the products these companies are supposedly giving an advantage to are things like payment processing systems or security verification software. Eliminating – or severely restricting – the ability of American tech companies to act as gatekeepers on their own devices with their own protocols is a recipe for disaster.
Naturally, several national security experts have already noticed the potential pitfalls of such legislation. Last year, more than a dozen former national security experts sent a letter to congressional leadership. The letter explicitly advised policymakers that legislation like AICO and OAMA would “place U.S. companies at a structural disadvantage vis-à-vis China, leaving our tech industry weakened and vulnerable to the CCP.”
The letter continues, “Government mandates that open our tech platforms to foreign rivals without sufficient safeguards will lead to more malign activity by Russia, China, Iran and North Korea not to mention cyber mercenaries or non-state criminal actors.”
There are reasons beyond monopolistic greed that explain why a big tech company would insist on certain payment processing systems or security verification. They need to engender trust with their customers. Billions of digital transactions happen on mobile devices every year and a great deal of sensitive information is made available. If this ecosystem is not secure, a treasure trove of data immediately becomes available to the adversaries mentioned in the national security letter.
Unfortunately, this is yet another objection that AICO and OAMA proponents are both unable and unwilling to answer. In an open letter to committees of jurisdiction on this matter, prominent AICO and OAMA supporter Bruce Schneier (cybersecurity professor at Harvard) hand-waved away concerns about the national security implications of the bills to which he is lending his support.
Schneier flippantly claims, “App store monopolies cannot protect users from every risk,” essentially conceding that there will be risk involved with the proposals. He continues, “Yes, there is malware. Yes, there are attacks. But there is security and safety as well. Hundreds of companies innovate in this space, developing new security and privacy technologies that we are free to install if we choose.”
The nation learned something very clearly over the last couple of weeks. If there are any vulnerabilities, foreign adversaries will take advantage. That was true with American airspace, and it will be even more so with the digital ecosystem, where so much personal and financial information is exchanged daily. The proper response cannot be to simply shrug and suggest Americans just buy better antivirus software.
If America learned anything from this balloon incident, it is that threats to data security are very real. President Biden can stand before a joint session of Congress and declare fervently he will stand up to any and all threats to the United States. However, those fervent proclamations begin to ring hollow when they are followed by calls to pass legislation that security experts widely agree will exacerbate those very same threats.
Published on February 13, 2023